
Third-Party Risk Management at the Port of Antwerp-Bruges: Case Study


In an era where digital connectivity is as vital as physical infrastructure, the Port of Antwerp-Bruges recognises that its cyber resilience is only as strong as the weakest link in its vast network of suppliers. Moving beyond static checklists, the Port’s cyber security team has established a dynamic, risk-based Third-Party Risk Management (TPRM) framework, a blueprint designed to secure a complex, multi-tiered supply chain. This case study explores how one of Europe’s most critical economic engines is addressing the growing threat of third-party vulnerabilities in a landscape shaped by sophisticated cyberattacks and new regulatory mandates like NIS2.

Port of Antwerp-Bruges: a critical economic driver  

The Port of Antwerp-Bruges is the second-largest port in Europe and stands as Belgium’s most vital economic driver, contributing 4.5% to the national GDP. It is a global hub that hosts 1,400 companies, handles over 20,000 seagoing vessels annually, and facilitates 15% of the EU’s gas market. Daily operations are underpinned by a substantial digital and physical footprint, including three data centres and over 170 kilometres of fibre optic cables. For an entity managing essential processes like maritime traffic coordination and bridge control, cyber security is a matter of operational integrity and national stability. “It goes without saying that we have a lot of digital assets,” Yannick Herrebaut, Cyber Resilience Manager and CISO at the Port, explains. “So as a port operator, it’s very important that our information is available and that the integrity is guaranteed.”

The growing challenge of supply chain security  

The cyber security landscape is increasingly defined by supply chain attacks that compromise software and service providers in order to reach their ultimate victims. High-profile incidents like the SolarWinds breach, the Kaseya ransomware attack, and vulnerabilities in open-source components like Log4j and the XZ backdoor have proven that no organisation is an island. According to the WEF Global Cybersecurity Outlook, supply chain vulnerabilities are now the top challenge to becoming cyber resilient. Furthermore, the NIS2 directive now legally mandates the implementation of supply chain security measures. “Third-party or supply chain vulnerabilities are at the top and even increasing,” Yannick Herrebaut observes. “This is really a priority to become a truly cyber-resilient organisation.”

Key actions for supply chain security 

“Organisations need to keep a few overall key actions in mind when it comes to supply chain cyber security,” explains Yannick Herrebaut. First, they should embed secure coding practices into the development process by enforcing clear responsibilities, using only trusted open-source components, and putting accountability mechanisms in place to reduce vulnerabilities at the source.

In addition, transparency is essential. A Software Bill of Materials (SBOM) helps provide visibility into all software components, making it easier to identify and manage potential risks. Continuous monitoring is another critical pillar. Regular vulnerability scanning, timely updates, and the use of AI for proactive threat detection can significantly improve resilience while reducing the pressure to compromise on security for speed. 

Finally, organisations need to strengthen vendor management. This means implementing robust vendor management practices, conducting thorough risk assessments, enforcing strict security standards for third parties, auditing regularly, and limiting access to sensitive systems to reduce exposure to external threats. And this is where TPRM comes in. 

A risk-based approach to TPRM  

At the heart of the Port of Antwerp-Bruges’ TPRM approach is a TPRM policy that categorises vendors into four tiers based on a cumulative weighting of risk criteria. These criteria include the implementation type (hardware, software, or SaaS), the sensitivity of the data processed (such as PII under the GDPR), the criticality of the business process involved, and the characteristics of the user base. “Simply put, the supplier of printing paper does not have to adhere to the same rules as the vendor of our ERP system,” Yannick Herrebaut notes.

All tiers must adhere to the Port’s Non-Functional Requirements and, where applicable, to a cyber security policy for third-party contractors and a signed declaration for external access. Tier 1 (Very High Risk) identifies critical vendors whose failure would lead to serious, hard-to-manage operational impacts. Consequently, these partners have a quantitatively managed security rating score, must undergo continuous monitoring, and must provide ISO 27001 certification or CyFun verification to ensure NIS2 compliance. Vendors classified under Tier 2 (High Risk) present a significant impact that can be mitigated through appropriate measures; they have a defined security rating score and need to complete standard security questionnaires. Tier 3 (Medium Risk) partners, whose potential failures have a reasonable but manageable effect, are managed via security rating scores and point-in-time assessments conducted at the moment of contract signing. Finally, Tier 4 (Low Risk) vendors have a minimal impact on operations and are only required to adhere to the essential measures that apply to all tiers and to the standard security policy clauses.

“Our TPRM policy and all applicable measures are published on our website,” Yannick Herrebaut explains. “I think it is only fair to be transparent with vendors; if they enter into a bidding process or answer an RFP, they should know exactly what they are getting into and what our security requirements will be from the very start.” 

The TPRM process explained

The Port’s TPRM process itself follows four essential stages: Evaluation, Engagement, Remediation, and Monitoring. It begins with an internal Evaluation, in which vendors are tiered as described above on implementation type, data sensitivity, and business criticality. During Engagement, high-risk partners must complete NIST-aligned questionnaires. If vulnerabilities surface, Remediation establishes a strict compliance timeframe; failure to resolve the identified risks within that timeframe leads to contract termination. Finally, the Port conducts continuous Monitoring of Tier 1 vendors, ensuring that security remains a persistent commitment to protecting critical infrastructure rather than a one-time check.

Yannick Herrebaut: “The Port uses a digital platform to centralise these security rating scores and questionnaires. To avoid questionnaire fatigue, the assessments are kept pragmatic, with even the most extensive list limited to 39 NIST-aligned questions.” 

No silver bullet  

Despite this structured approach, Yannick Herrebaut acknowledges that TPRM is not a “silver bullet” and faces several real-world limitations. Complex construction projects involving many layers of subcontractors make it difficult to reach the small IT providers tucked under main contractors. Furthermore, “Shadow IT” purchases made via credit cards or through other government framework agreements can bypass standard procurement controls.

There is also the challenge of the “backlog” or existing contracts signed before the policy was implemented. Yannick Herrebaut notes that these risks must be addressed gradually as contracts expire rather than trying to break open every old agreement. Finally, for “unique” vendors that cannot comply, the Port uses a formal exception management procedure. Crucially, this involves a transfer of risk ownership. “You can use this vendor if you really want to, but you also accept the risk… and you are responsible for taking risk-mitigating measures,” Yannick Herrebaut warns business units. This requirement for documented accountability often leads business owners to reconsider their choice once they have to put things on paper. 

A pragmatic approach to managing the digital ecosystem  

The Port of Antwerp-Bruges’ journey demonstrates that supply chain security requires a balance of policy transparency and pragmatic implementation. By tiering vendors based on their specific business context and ensuring clear internal accountability for risk, the Port has moved from being a passive recipient of software to an active gatekeeper of its digital ecosystem. The key takeaway for any organisation is that while a policy is easy to write, its real value lies in active vendor engagement and the clear documentation of risk ownership. 

This article is based on a presentation given by Yannick Herrebaut at the 2026 GRC: Be Connected! event.


GRC: Be Connected! 02-04-26
About the author
Jo De Brabandere
Experienced Marketing & Communications Expert and Strategist